Dear Lifehacker,
I understand that signing up for "free" services like Gmail and Facebook require that I put my trust in a company and provide them with quite a bit of personal data. I know that data is supposed to be kept private, but with the amount of information and web activity that's tracked every day I'm started to worry. How paranoid should I be, and is there any way I can ensure my data isn't being used in ways I don't want?

You're right to be a little paranoid. When you're offering information to a company whose first priority is to turn a profit, there's cause for concern. That said, there's only so much a company is legally allowed to do. Additionally, there are steps you can take to reduce the amount of tracked information so you have fewer reasons to worry.

What Companies Can and Cannot Do With Your Information (According to the Law)

The good news is that your personal data is your data and a company is nearly never allowed to use it without your permission. The bad news is that your permission is easily given by accepting a contract—the terms and conditions you ignore and accept by clicking a button to claim that you read them—and simply interacting with the site. To get a better idea of where the law does and does not intervene, I spoke with professor Jane Yakowitz of Brooklyn Law School:

Sponsored

The Electronic Communications Privacy Act (which includes the U.S. Wiretap Act and the Stored Communications Act) prohibits people and companies from intercepting or accessing communications to which they are not a party. There are some exceptions for service providers as long as they use the information for the provision of services, but generally a company cannot collect data that was never directed to it. (This is why, e.g., Google got in trouble when its Google Street View vans intercepted and copied data transmitted over unsecured wireless Internet routers.)

That's the legal good news, but potential trouble arises when the U.S. law interprets what constitutes a conversation. Jane explains that the online definition is rather broad:

The ECPA won't apply to any data that transfers between your computer and, e.g., Amazon's computer while you surf amazon. This data is directed at Amazon— it is a party to the "conversation." Moreover, Amazon is free to disclose that data to other third parties, should it choose to do so. Thus, cookies and other web-tracking technologies that collect data about a computer user's visit to a website do not violate the ECPA. If Amazon placed a cookie that collects browser cache data or other data that was never intended to be exposed to Amazon, a computer user might have a claim under the Computer Fraud and Abuse Act (which is essentially an anti-hacking law), but the plaintiff would have to prove significant damages (a $5,000 minimum) in order to win at all. More importantly, I am not aware of these types of overly broad tracking technologies being used in practice. Suffice it to say there is no federal law that requires companies to get consent before placing a web-tracking cookie, and the uses of the collected data are similarly unconstrained.

The lack of government regulation on tracking data and its use is fairly unique to the United States. Some other countries require that the company provide a means for the customer to opt out of the web site's data tracking methods or, in some cases, even choose to allow it. While regulation might seem like a good idea, it has its downsides as well. In the United States, we do have some regulation regarding certain types of information. For example, you may remember that when Netflix CEO Reed Hastings spoke at the 2011 F8 Developer Conference for Facebook he discussed the limitations of integrating Netflix information into your news feed. While some countries do allow Netflix to disclose information regarding your activity if you provide permission, the United States imposes restrictions via the Video Privacy Protection Act that prevent the disclosure of your entertainment preferences. As a result, you can't automatically share what you're watching because Netflix isn't legally allowed to provide you with the means to do so. (Or, perhaps more accurately, they're being decidedly cautious to avoid a law suit like this one.)

A mother of two, who also happens to be gay (and not broadcasting it), is anonymously suing Netflix …
Read more Read more

What it all comes down to is that despite the regulation of some data, companies are mostly unrestricted with the ways they can use the information gathered by tracking what you do. Furthermore, there are few restrictions regarding the personal data that you willingly provide (e.g. photos you upload or status updates you post). Although there are privacy policies that detail, in great length, what companies will and will not do with your information, those policies can always change and companies are not necessarily required to notify you of those changes. The good news is that many do, but, again, it isn't required. While you'll never know exactly what a company might do with the personal data you provide and it tracks, you should always consider the possibilities before you disclose anything.

What You Can Do To Reduce How Much Companies Track You

The most important thing to remember is that you have complete control over what personal data you choose to provide to any given company. You do not have to post embarrassing photos to Facebook or shop for an erotic massager on Amazon. It's important to be aware of the trade you're making every time you willingly provide information with a company's web site. You should consider each interaction like a conversation with a potentially gossipy friend. Visiting a product page on Amazon while signed in to your account can be considered the same as telling someone "I'm interested in learning more about this product." If you want to keep any information private, simply do not share it. You have to take responsibility for what you do and do not share online.

In regards to tracking, however, you can opt out. You've likely heard of Do Not Track and a little about what it does. Simply put, it tells the sites you visit not to track you by adjusting your browser settings. Sometimes that's done through an extension and sometimes through settings within the browser. (You can learn how to enable Do Not Track methods for your browser here.)

What's so bad about ad tracking on the web, a.k.a. behavioral targeting? Nothing, if you…
Read more Read more

It also helps to know what information is actually being tracked so you can decide if you care. A browser extension called Ghostery can unveil the tracking methods used on most web sites. Just install it and it'll allow you to unveil the process so you can see how you're being tracked. You may find that your assumptions were a little off.

The Bottom Line

Browsing the internet and providing your data to companies who have no ethical obligation to you is worthy of a little paranoia, but you also have to remember that they're providing a service you want. This is ultimately a very long discussion with several complicated issues, but it really just comes down to your personal choice. You can share as much or as little as you want. The data you provide to Facebook or Google or whomever is up to you. Your paranoia over privacy should only reach so far as what level of concern the data you choose to share actually warrants. Basically, if you think before you disclose and prevent any unwanted tracking, you're making a reasonable effort to protect your personal privacy without giving up the "free" services you enjoy.